The Problem: Your AI Agent Has Root
A few months back I was helping a team set up a self-hosted AI coding agent. Standard setup — an LLM with tool access, running on a shared dev server, able to read files, execute commands, hit APIs. The usual.
Then someone ran a prompt that included pasted output from an untrusted webpage. The agent dutifully interpreted some embedded instructions and started rm -rf'ing a directory it had no business touching.
Nothing critical was lost. But it could have been.
This is the dirty secret of running agents that execute code — by default, they run with whatever permissions your process has. If that process is your dev environment, your agent has access to your SSH keys, your cloud credentials, your git history. Everything.
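As an added illustration of the gap just described (example code, not from the original post): a naive delete tool does whatever the process is allowed to do, while a guarded version refuses any path that resolves outside an assumed per-agent workspace directory. The workspace and the ".ssh" directory it protects are constructed in a temp dir for the demo.

```python
import os
import shutil
import tempfile


def inside_workspace(workspace: str, target: str) -> bool:
    """True if target, after resolving symlinks and '..', stays under workspace."""
    ws = os.path.realpath(workspace)
    tgt = os.path.realpath(target)
    return os.path.commonpath([ws, tgt]) == ws


def unguarded_delete(path: str) -> str:
    """The naive tool: it inherits the process's permissions, so it can remove anything."""
    shutil.rmtree(path)
    return "deleted"


def guarded_delete(path: str, workspace: str) -> str:
    """Confine the tool to the agent's workspace; deny everything else, including the root."""
    if not inside_workspace(workspace, path):
        return "denied"
    if os.path.realpath(path) == os.path.realpath(workspace):
        return "denied"  # never let the agent wipe its own workspace
    shutil.rmtree(path)
    return "deleted"


def demo() -> dict:
    """Constructed layout: base/workspace (agent's sandbox) and base/home/.ssh (off limits)."""
    base = tempfile.mkdtemp()
    workspace = os.path.join(base, "workspace")
    secrets = os.path.join(base, "home", ".ssh")
    os.makedirs(os.path.join(workspace, "build"))
    os.makedirs(secrets)
    results = {
        "inside": guarded_delete(os.path.join(workspace, "build"), workspace),
        # prompt-injected instruction style: relative traversal out of the workspace
        "traversal": guarded_delete(os.path.join(workspace, "..", "home", ".ssh"), workspace),
        "root": guarded_delete(workspace, workspace),
    }
    results["secrets_survive"] = os.path.isdir(secrets)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The same confinement check belongs in front of every filesystem tool the agent exposes, not only delete, since read and write outside the workspace leak or corrupt the same credentials.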